syslog-ng non-standard install generating AVC

[Daniel J Walsh]

Karsten Wade wrote:

>On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
>  
>
>>You could add these lines to syslog.te
>>    
>>
>
>Will it work to add them to local.te?
>
>  
>
Yes

>>can_exec(syslog_t, { bin_t shell_exec_t } )
>>allow syslogd_t etc_runtime_t:file { getattr read };
>>allow syslogd_t proc_kmsg_t:file write;
>>allow syslogd_t proc_t:file { getattr read };
>>allow syslogd_t sbin_t:dir search;
>>allow syslogd_t self:capability { chown fowner fsetid sys_admin };
>>    
>>
>
>I see these and a few more from using audit2allow.  How did you decide
>which to use?  Does can_exec() replace some of the rules?  These ones,
>at least:
>
>allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
>allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr
>read };
>
>
>  
>
Yes,  Seeing the execute priv, I relized what it is trying to do.  So 
just adding can_exec is usually
better than trying to explicitely give individual privs.  Also some 
times audit2allow will tell
you some process wants read privs, invariably it will ask for getattr as 
soon as I grant read, so we usually
give both privs right away.

>>There is some directory in /usr that needs to be relabeled
>>syslogd_var_run_t to eliminate the following
>>
>>allow syslogd_t usr_t:dir { add_name remove_name write };
>>allow syslogd_t usr_t:file { append create getattr read setattr unlink 
>>write };
>>    
>>
>
>In other words, relabel the directory in /usr so that these rules are
>not needed?
>  
>
Yes, not knowing which directory this is, but say their is a /usr/syslog 
directory,
relabel it via chcon

chcon -R -t syslogd_var_run_t /usr/syslog

You would also want to add an entry under file contexts for

/usr/syslog(/.*)?   system_u:object_r:syslogd_var_run_t

in either in policy/file_contexts/program/syslog.fc
or in policy/file_contexts/misc/misc.fc

>thx - Karsten
>  
>